Privacy Policy

GitBrain is built on a simple principle: your code stays yours. We collect only the metadata needed to generate engineering insights — never source code, never keystrokes, never file content.

Last updated: 2026-05-07

What the agent NEVER does

  • Read or transmit the contents of your files
  • Access your clipboard or keystrokes
  • Read commit or diff content
  • Transmit data without encrypted HTTPS
  • Run without your explicit consent at install time

1. Who We Are

GitBrain SAS ("we", "us", "our") is an Engineering Intelligence SaaS platform that helps software engineering teams measure their effort, cost, and delivery performance.

GitBrain SAS is the data controller for personal data processed through the GitBrain platform and website. Privacy contact: privacy@gitbrain.ai — DPO contact: dpo@gitbrain.ai

2. Data We Collect and Why

We collect personal data only when there is a clear legal basis under GDPR Article 6 and a specific purpose. Below is a full breakdown by context.

Waitlist registration: name (consent), work email address (consent), company name (consent), role/job title (consent), team size (consent), use-case description (consent).

Platform usage — registered users: IDE activity metadata including file paths and session durations (contract performance); Git event metadata such as commit type and branch events — never diff content (contract performance); terminal session durations — not command content (contract performance); authentication data including hashed tokens (legitimate interest — security).

Technical data — all visitors: hashed IP address for security and abuse prevention (legitimate interest); user agent and browser language to deliver the correct locale (legitimate interest); aggregated anonymised page-level analytics via Plausible Analytics (legitimate interest).

What we never collect: source code content, file contents, commit diffs, keystrokes, clipboard data, screen recordings, audio.

3. Cookies

The GitBrain marketing site uses no tracking cookies and no third-party advertising cookies.

Cookies in use: gitbrain_session (strictly necessary — authenticated dashboard session, session duration); XSRF-TOKEN (strictly necessary — CSRF protection, session duration); locale_pref (functional — language preference, 12 months).

Our analytics provider Plausible Analytics is cookieless and does not track individual users. No consent is required for our analytics under GDPR and ePrivacy rules.

Full details in our Cookie Policy at /cookies.

4. Data Retention

Waitlist registrations: 24 months from registration, or until you withdraw consent.

Platform activity metadata: duration of active subscription plus 90 days post-termination for data export.

Account data: 30 days after account deletion.

Server logs (hashed IP): 90 days.

Transactional email records (metadata only): 13 months.

Billing records: 7 years (French accounting obligation).

To request deletion of your data at any time: dpo@gitbrain.ai. We process deletion requests within 30 days.

5. Sub-processors

We share data only with the following sub-processors. Each is bound by a Data Processing Agreement and provides adequate GDPR guarantees. Last reviewed: 2026-05-07.

Sub-processor       | Purpose                        | Location                | Data shared
Mailgun (Sinch)     | Transactional email delivery   | EU — Frankfurt, Germany | Email address, name, email content
AWS SES (Amazon)    | Transactional email fallback   | EU — eu-west-1, Ireland | Email address, name
Resend              | Waitlist email delivery        | EU region               | Email address, name
Stripe              | Payment processing             | US / EU (SCCs)          | Billing name, email, payment metadata
Sentry              | Error monitoring               | EU region               | Error context, stack traces (no PII beyond user ID)
Plausible Analytics | Website analytics (cookieless) | EU — Germany            | Aggregated pageview data, no individual tracking
Vercel              | Marketing site hosting         | US (SCCs)               | HTTP request metadata
Cloudflare R2       | File storage                   | EU region               | User-uploaded file content
OpenAI              | AI-powered features            | US (SCCs, DPA in place) | Anonymised activity metadata — never source code

To request the complete sub-processor list with DPA references: privacy@gitbrain.ai

6. International Data Transfers

GitBrain SAS is based in France. Some sub-processors are located outside the European Economic Area (EEA). In every case, we ensure adequate safeguards are in place: Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914).

Stripe: SCCs in place, EU entity available for EU billing.

Vercel: SCCs in place.

OpenAI: SCCs in place, data processed via API with contractual prohibition on training use.

7. Your GDPR Rights

If you are located in the European Economic Area, you have the following rights under GDPR Articles 15–22:

  • (a) Right of access (Art. 15) — receive a copy of your personal data.
  • (b) Right to rectification (Art. 16) — correct inaccurate data.
  • (c) Right to erasure (Art. 17) — request deletion.
  • (d) Right to restriction (Art. 18) — limit how we process your data.
  • (e) Right to data portability (Art. 20) — receive your data in a machine-readable format.
  • (f) Right to object (Art. 21) — object to processing based on legitimate interests.
  • (g) Right to withdraw consent — at any time, without affecting prior lawful processing.

To exercise any of these rights: email dpo@gitbrain.ai with subject line 'GDPR Data Request — [your right]'. We respond within 30 days.

Right to lodge a complaint: if we have not handled your request appropriately, you may lodge a complaint with your national supervisory authority. In France: CNIL (www.cnil.fr).

8. Security Measures

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256.

Access to production systems requires multi-factor authentication and is restricted to authorised personnel under the least-privilege principle.

The local agent authenticates via short-lived signed tokens. No credentials are stored in plain text on the device.

We perform regular dependency audits and security reviews. Critical vulnerabilities are addressed within 24 hours.

Security vulnerability disclosure: security@gitbrain.ai

9. Automated Decision-Making

GitBrain does not make decisions that produce legal or similarly significant effects using fully automated processing. All engineering metrics are provided as informational tools; human managers retain decision-making authority.

10. Children's Privacy

The GitBrain service is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If you believe we have inadvertently done so, contact privacy@gitbrain.ai.

11. Changes to This Policy

We will notify registered users by email at least 14 days before any material changes take effect. The current version is always at /privacy-security.

12. Contact

General privacy questions: privacy@gitbrain.ai

GDPR rights requests: dpo@gitbrain.ai

Security vulnerability disclosure: security@gitbrain.ai

General enquiries: hello@gitbrain.ai

Questions: privacy@gitbrain.ai — Data Protection Officer: dpo@gitbrain.ai